In previous blog articles, we discussed the importance of using an Interconnection Oriented Architecture™ (IOA™) strategy to localize security services in digital edge nodes to govern multi-party data flows. Interconnection enables private data exchange between businesses, and an IOA Security Blueprint framework secures the interconnection of people, locations, clouds and data. Each digital edge node is a mix of physical and virtual appliances with supporting SaaS-based services that enable you to create tailored security guard rails for specific workload traffic and digital services at strategic geographic locations, placing you in control of your business flows (see diagram below):

An IOA security framework is also vendor-agnostic, which is critical to consolidating and integrating these functions, whether you are protecting data access on-premises or in the cloud.

An IOA Security framework at the edge begins with implementing the first three design patterns from the IOA Security Blueprint:

The fourth design pattern in the IOA Security Blueprint describes why you should locate identity and encryption key management services at the digital edge. These are critical functions in a business environment of bidirectional workflows among dispersed users, data, applications and clouds. Applications must constantly fetch credentials and decryption keys from these services, which adds latency if the services are not colocated with the applications and data they are meant to protect. In addition, a multicloud environment can cause a proliferation of credential and key copies, increasing complexity and risk. Finally, the lack of integration between on-premises and cloud security services, and unclear ownership of and responsibility for them, is a significant pain point for businesses and increases operational risk.

Other constraints and forces that affect these critical security services include:

Centrally Located Security Information

Security information has traditionally been centralized due to a natural impulse to protect data that, if compromised, could cripple a business. However, locating identity and encryption key management services at a corporate data center forces every security request from the edge to be backhauled over the WAN. This can degrade user experience and application performance because of the delays added by high-latency, long-haul networks. This is unfortunate because, according to the Ponemon Institute 2016 survey on encryption trends, 74% of respondents say the most critical feature of an encryption technology solution is managing system performance and latency. Balancing "trust no one" security against reasonable performance is difficult when the critical infrastructure services are remote, yet the resulting risks still need to be mitigated, including the risk of having to manage separate identity and key management systems for the on-premises environment and for each cloud services provider (CSP).

Cloud Provider Security Services

CSPs offer security services to alleviate a business's need to backhaul edge traffic to a centralized corporate data center, or to compensate for a lack of enterprise expertise in cloud security. However, this approach can increase risk by spreading sensitive data across a diverse and dispersed cloud services landscape, where you have limited control over identity and encryption key management and over where the data physically resides. A fragmented approach across different cloud services increases risk, especially when the cloud security services share fate with other cloud service dependencies. In addition, there is the risk that a government action taken against a cloud provider (or one of its other customers) results in unauthorized access to your data. Given these concerns, it is no surprise that the second- and third-most important features of an encryption technology solution cited by the Ponemon respondents were maintaining enforcement policies (71%) and supporting both cloud and on-premises deployments (69%).

Costly Corruption and Downtime

When private information is compromised, data can be leaked and/or slowly corrupted over time. The impact can take months to be fully understood and often costs a company hundreds of millions of dollars in remediation. In addition, as businesses grow increasingly dependent on IT services, the impact of IT outages, especially of what is considered "critical infrastructure" (e.g., DNS, directory, identity and key management, network), can be measured in dollars per second of downtime plus reputational damage.

What happens if you don't address these security challenges? The worst-case scenario is that you could lose your business due to a loss of trust in your company. According to a report by McAfee, 33% of companies surveyed said they believe that accidental or malicious distribution of confidential data could put them out of business. And for small businesses, 60% could go under within just six months of a cyberattack, according to the U.S. National Cyber Security Alliance. Even if these dramatic effects are avoided, security challenges slow application performance, heighten organizational risk, increase costs from data loss, corruption and unplanned downtime, and add operational complexity.

Encrypt security service data with a separate mechanism and “break-glass” procedures.
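The recommendation above has two parts: the security service's own data (its credential and key records) is encrypted under a mechanism independent of the keys it hands out to workloads, and there is a documented, audited way to recover that data when the normal key path is unavailable. The following is an added example, not code from the article or from Equinix, showing one way to implement both: a data key wraps the records, a separate key-encryption key (KEK) wraps the data key, and the KEK is split among custodians with Shamir's secret sharing so that a quorum can perform a logged break-glass recovery while fewer custodians learn nothing. The HMAC-based cipher, the class and function names, and the custodian counts are assumptions of this example; a production deployment would keep the KEK in an HSM or KMS at the edge node and use AES-GCM from a vetted library in place of the stand-in cipher.

```python
"""Envelope encryption for a security service's own records, with a
threshold ("break-glass") recovery of the key-encryption key.
Added example; names and the HMAC-based cipher are assumptions, not
part of any IOA product."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Mersenne prime 2^521 - 1: every 32-byte secret is a field element below it.
_P = (1 << 521) - 1


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, never silently."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def split_secret(secret: bytes, quorum: int, custodians: int) -> list[tuple[int, int]]:
    """Shamir split: random polynomial of degree quorum-1 with the secret at x=0."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(_P) for _ in range(quorum - 1)]
    shares = []
    for x in range(1, custodians + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            y = (y * x + c) % _P
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]], size: int = 32) -> bytes:
    """Lagrange interpolation at x=0. Too few shares give a random field element,
    which almost surely does not fit in `size` bytes and is rejected."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % _P
                den = den * (xi - xj) % _P
        s = (s + yi * num * pow(den, -1, _P)) % _P
    if s.bit_length() > 8 * size:
        raise ValueError("insufficient or inconsistent shares")
    return s.to_bytes(size, "big")


class SecurityServiceStore:
    """Records of a security service (e.g. credential metadata) under a data key
    that is wrapped by a KEK the service does not keep beside the data."""

    def __init__(self, kek: bytes, custodians: int = 5, quorum: int = 3):
        self.quorum = quorum
        self._dek = os.urandom(32)
        self.wrapped_dek = seal(kek, self._dek, aad=b"dek-v1")
        # Break-glass path: KEK shares handed to custodians, KEK itself discarded here.
        self.break_glass_shares = split_secret(kek, quorum, custodians)
        self.records: dict[str, bytes] = {}
        self.audit: list[str] = []

    def put(self, name: str, value: bytes) -> None:
        self.records[name] = seal(self._dek, value, aad=name.encode())

    def get(self, name: str) -> bytes:
        return open_(self._dek, self.records[name], aad=name.encode())

    def recover_records(self, shares: list[tuple[int, int]], justification: str) -> dict[str, bytes]:
        """Break-glass: rebuild KEK from a quorum, unwrap DEK, decrypt every record."""
        if len(shares) < self.quorum:
            raise ValueError(f"break-glass needs {self.quorum} custodians, got {len(shares)}")
        self.audit.append(f"BREAK-GLASS custodians={[x for x, _ in shares]} reason={justification!r}")
        dek = open_(recover_secret(shares), self.wrapped_dek, aad=b"dek-v1")
        return {name: open_(dek, blob, aad=name.encode()) for name, blob in self.records.items()}
```

In use, the KEK is generated inside the HSM/KMS at the edge node and only its shares leave it; `recover_records` is the documented procedure an on-call engineer runs when that KMS is unreachable, and the `audit` entry is what the SOC reviews afterwards. Note that two custodians colluding get a uniformly random field element, not a partial key, and that every decryption path authenticates before decrypting.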

Note: Public internet applications can also use security services over an ISP link. In addition, security services hosted in a cloud can be extended to other clouds directly and securely through the edge node. There is no need to duplicate them in separate clouds.

The benefits of securing your business at the edge include:

Security services remain in the control of the company at all times, regardless of changes in the use of cloud services. In addition, digital edge nodes enable direct and secure interconnection to CSPs for tighter integration of on-premises and cloud security services.